hxxps://windowsdefender[.]site/download/download[.]php?mn=9996

Analysis

max time kernel
45s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2023, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://windowsdefender.site/download/download.php?mn=9996

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133229654525305292"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 5076	3204	chrome.exe	85
PID 3204 wrote to memory of 5076	3204	chrome.exe	85
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4416	3204	chrome.exe	86
PID 3204 wrote to memory of 4804	3204	chrome.exe	87
PID 3204 wrote to memory of 4804	3204	chrome.exe	87
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88
PID 3204 wrote to memory of 892	3204	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://windowsdefender.site/download/download.php?mn=9996
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3e0f9758,0x7ffc3e0f9768,0x7ffc3e0f9778
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:2
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:8
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3940 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3320 --field-trial-handle=1800,i,15952670352140936878,7974489301565264050,131072 /prefetch:8
  2⤵
  PID:1848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d1fafb5b8479bcd698e5ccddade7211e

SHA1
d70dd14c55513bffaf2897e5a82360d59917c929

SHA256
d898a9f22ba444663dc73502f2916b5f89feb508e5932d5b1d88c2a92bbe8692

SHA512
0b7871fffc880e90bc5d5e6a30cd26826a2c734f6b2f23af20791437e829e7268b3474c0d2858188a4907dd8b23372747a069b4fc195afabb1e0e4049dac0031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6ab222ddb60c90f8b8c7b91780bdd0e6

SHA1
54077f13df07543da84505c67c3672537468d40c

SHA256
bbf586039050f1f1f96133b8a95f2f24086c02ae4ed14a3694a207b7043c711a

SHA512
4734e30a58b1192ad09a48538ec3a98429c920c7afe57bf8d1d4de9b236b7e465dcfdbe3e45ae9556286813f3e9f5134e7dc594bc69f203556279363dabee679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9acffa4a77daeb09c5b023f9ed749a22

SHA1
4eca31661c900246eedd969054db5e21889f6b83

SHA256
0eaf38a8f9eefd81822db2f86ca1335e723ff58e533d8969f66e331ec5a99031

SHA512
bca5a6f4b88980cc9f7f72c54c9ac37cee0f68fa9d3fad6deb934d1fcf415bfbd0596af860b78baa35ffc797299d5164e69943dcfe2c3df8090c65940ce2ff44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4e4195f22bdcb8b622b3e703219accca

SHA1
5e06a5060782f150a7d73582e86d917fe4cc88cb

SHA256
af6a7c6e8ea9410cca98c5ee22ce67d647e144343d009e2db034ec0ecdd1ef5f

SHA512
00f6773b9f57df7300c3e003961f72e0a8a136634f56c6b10f73abcee6cc8588fc1791135e8e285d5ce78d9364558a002f5568e8807378bb3add3bfae41aeee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
bf0939fb66ad9b4201b978829ae68db1

SHA1
6e548ac620dfd84f19a83ed38b560a536a54bcd3

SHA256
fd5d5583bda37f16db67ae40649b76c7662773995dd7d0ba9b70827944e29234

SHA512
e5f4a0ee05153fd28c132145c767a9c43efc1d1cee438d50901ea938605e04fcdaf2be907024ba415b4e333bdd1f1ba425af8913527f34bece08a005ef86e357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
41ec5b75420bb23075b1b7cdbbc0bddb

SHA1
f82576795012ad6b91a827b73c891829c7d6d4b6

SHA256
a55fdeab01d79bd119be75a07485cae71985c30967cd4d79df94e7db86720d76

SHA512
00545dc1bbe5b7330113fb26641dcadb4e6b05346c5ffb46f00789486a0375e30b7aaea4199a6b209aad928c50f47b2b0f2d58f3b20a400a2d33e32774c1305d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit